Email security, Vulnerability Management

Google details new tool used by Iranian threat group to download victims’ emails

A Gmail inbox is seen on a computer screen
Google's Threat Analysis Group has observed an Iranian-backed threat group using a new tool to download email inboxes called "Hyperscrape." ("spam gmail" by notoriousxl is licensed under CC BY-SA 2.0.)

Iranian-backed threat group Charming Kitten was observed in December using a novel tool called “Hyperscrape” to download email from Gmail, Yahoo and Microsoft Outlook accounts, Google’s Threat Analysis Group (TAG) detailed in a blog post Tuesday.

The tool runs on the attacker’s computer to download a victim’s inbox after logging into the victim account by using previously acquired credentials. 

The Google TAG team said it has observed the tool used on fewer than two dozen accounts in Iran, with the oldest known sample dating from 2020. However, TAG said Hyperscrape is still under active deployment and it has re-secured the accounts and notified the victims.

In the post, TAG said that Hyperscrape isn’t particularly technical in its sophistication, but is notable because of its effectiveness in helping the APT achieve its objectives.

The tool spoofs a user agent to look like an outdated browser, which enables the basic HTML view in Gmail, TAG member Ajax Bash wrote. After changing the account’s language to English and downloading messages as .eml files, it reverts back to its original settings and deletes any security emails from Google. 

TAG tested Hyperscape in a controlled environment on a Gmail account, but said functionality may differ for Yahoo and Microsoft accounts.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds